
TeamPCP Releases Telnyx Versions on PyPI, Conceals Malicious Stealer in WAV Files


TeamPCP Compromises Telnyx Python Package with Credential Harvesting Malware

TeamPCP, the threat actor responsible for the recent supply chain attack on Trivy, KICS, and litellm, has now targeted the telnyx Python package by introducing two malicious versions to steal sensitive data.

The malicious versions, 4.87.1 and 4.87.2, were uploaded to the Python Package Index (PyPI) repository on March 27, 2026. These versions concealed their credential harvesting capabilities within a .WAV file. Users are advised to downgrade immediately to version 4.87.0 as the PyPI project is currently under quarantine.

Reports from Aikido, Endor Labs, Ossprey Security, SafeDep, Socket, and StepSecurity indicate that the malicious code is injected into “telnyx/_client.py,” so it runs as soon as the package is imported into a Python application. The malware is designed to target Windows, Linux, and macOS systems.

Socket’s analysis reveals a three-stage attack chain on Linux/macOS involving delivery via audio steganography, in-memory execution of a data harvester, and encrypted data exfiltration. This entire process operates within a self-destructing temporary directory to leave minimal forensic traces on the host.

On Windows systems, the malware downloads a file named “hangup.wav” from a command-and-control (C2) server, extracting an executable that is then placed in the Startup folder as “msbuild.exe” for persistence across system reboots. Meanwhile, on Linux or macOS, a different .WAV file, “ringtone.wav,” is fetched to execute a third-stage collector script for data exfiltration.

Ossprey Security highlights the use of audio steganography as a standout technique in this attack, concealing the final payload within a .WAV file to evade detection. How TeamPCP obtained the PYPI_TOKEN remains unclear, but it is speculated to have been acquired through prior credential harvesting operations.


Endor Labs researchers suggest that the compromised PYPI_TOKEN may have been obtained during the litellm compromise, where TeamPCP harvested environment variables, .env files, and shell histories containing sensitive information. The attack strategy differs between Windows and Linux/macOS, with Windows focusing on persistence and Linux/macOS on swift data harvesting and exfiltration.

This incident follows TeamPCP’s distribution of trojanized versions of the litellm Python package to steal cloud credentials and keys. The evolution of this supply chain attack strategy indicates a shift towards infecting trusted packages with large user bases to maximize impact and widen the attack surface.

Developers are advised to audit Python environments for compromised versions, rotate all secrets, check for malicious files in the Windows Startup folder, and block known malicious domains to mitigate the threat. The attack on the telnyx package is part of a larger campaign by TeamPCP collaborating with other cybercriminal groups for extortion and ransomware activities.
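A defender-side audit for the first recommendation above, added here as an example (not code from the article or from any of the vendors it cites): it scans `pip freeze` output or a requirements file for the two compromised telnyx pins and checks the running interpreter's installed distributions. The package name and versions come from the article; the sample freeze lines are constructed.

```python
"""Audit Python environments for the malicious telnyx releases named in the article."""
from __future__ import annotations

import importlib.metadata
import re
from pathlib import Path

# Versions reported as malicious on PyPI (from the article); 4.87.0 is the safe downgrade target.
AFFECTED = {"telnyx": {"4.87.1", "4.87.2"}}

# Matches pinned requirement lines such as "telnyx==4.87.1" (trailing markers/comments ignored).
PIN_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([^\s;#]+)")


def normalize(name: str) -> str:
    """PEP 503 name normalisation so 'Telnyx' and 'telnyx' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def find_affected_pins(lines) -> list[tuple[str, str]]:
    """Return (name, version) for every pinned line naming a compromised release.

    Works on `pip freeze` output or a requirements.txt; unpinned lines are ignored.
    """
    hits = []
    for line in lines:
        m = PIN_RE.match(line)
        if not m:
            continue
        name, version = normalize(m.group(1)), m.group(2)
        if version in AFFECTED.get(name, set()):
            hits.append((name, version))
    return hits


def audit_file(path: str) -> list[tuple[str, str]]:
    """Audit a requirements or lock file on disk."""
    return find_affected_pins(Path(path).read_text(encoding="utf-8").splitlines())


def audit_installed() -> list[tuple[str, str]]:
    """Check this interpreter's own site-packages via importlib.metadata (no network needed)."""
    hits = []
    for dist in importlib.metadata.distributions():
        name = normalize(dist.metadata["Name"] or "")
        if dist.version in AFFECTED.get(name, set()):
            hits.append((name, dist.version))
    return hits


if __name__ == "__main__":
    # Constructed sample of `pip freeze` output, not taken from any real host.
    sample = ["requests==2.31.0", "Telnyx==4.87.2  # pinned 2026-03-27", "telnyx==4.87.0"]
    print("pinned:", find_affected_pins(sample))  # [('telnyx', '4.87.2')]
    print("installed:", audit_installed())
```

Run it inside each virtual environment and CI image separately, since `audit_installed()` only sees the interpreter it is executed with.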

This trend also highlights the increased focus of ransomware groups on leveraging supply chain attacks targeting open source infrastructure as an entry point for further malicious activities. The importance of securing CI/CD environments and associated tools is emphasized to prevent such attacks in the future.
